Get started with SSL server certificates for AWS Application Load Balancer

SSL (Secure Sockets Layer) and its successor, TLS (Transport Layer Security), are protocols used to secure the communication between a client (e.g., a web browser) and a server (e.g., a website). In most modern contexts "SSL" is used synonymously with TLS, but technically SSL is the older version of the protocol.

More about secure SSL/TLS communication can be found here: Basics of SSL/TLS secure connection

An SSL server certificate, commonly referred to as an SSL certificate, is a digital certificate that:

  1. Authenticates the Identity of a Website: It verifies that the domain to which you're connecting actually belongs to the entity it claims to be associated with. This prevents man-in-the-middle attacks where a malicious actor could pretend to be a certain website.

  2. Enables Encrypted Connection: It provides the public key that allows the client and server to establish an encrypted connection. Only the server, with its private key, can decrypt information encrypted with the public key.

Why Deploy an SSL Certificate to a Load Balancer?

A load balancer is a device or service that distributes incoming network traffic across multiple servers to ensure that no single server is overwhelmed with too much traffic. Load balancers can be found in various forms, from software-based solutions like Nginx and HAProxy to hardware appliances from vendors like F5 or Cisco.

Here's why you might deploy an SSL certificate to a load balancer:

  1. SSL Termination: One of the primary reasons is to offload the resource-intensive process of encrypting and decrypting SSL/TLS traffic from the backend servers to the load balancer. This is known as "SSL termination." When the load balancer handles this process, it frees up resources on the backend servers and can improve performance.

  2. Centralized Certificate Management: Managing SSL certificates on a single load balancer (or a few of them) is simpler than managing certificates on many backend servers. Renewals, revocations, and updates are easier to handle.

  3. Uniform SSL Configuration: Having SSL configured at the load balancer level ensures that all the servers behind it benefit from the same level of encryption and security policies. This makes it easier to enforce best practices and keep configurations consistent.

  4. End-to-End Encryption: While SSL termination is common, some setups require end-to-end encryption where traffic remains encrypted even between the load balancer and the backend servers. In this case, the load balancer still needs the SSL certificate to decrypt traffic, inspect it if necessary (for routing decisions or other purposes), and then re-encrypt it before sending it to the backend.

  5. Client Trust and Compliance: Some industries or applications might be subject to regulations that require encrypted transmission of data. Having SSL on the load balancer ensures that client data is encrypted during transit.

  6. Security: In addition to encryption, SSL/TLS provides data integrity. This means that as data is transmitted between the client and server (via the load balancer), it cannot be tampered with without detection.

Deploying an SSL certificate to a load balancer helps streamline certificate management, improves performance by offloading encryption tasks, and ensures secure, encrypted communication between clients and servers.

Certificate management in AWS

Amazon Web Services (AWS) provides several services and features to manage and use SSL/TLS certificates within its ecosystem. Here's an overview of how SSL certificates are managed in the context of AWS Cloud:

  1. AWS Certificate Manager (ACM):

    • Certificate Provisioning: ACM allows users to easily provision, manage, and deploy public and private SSL/TLS certificates for use with AWS services and internal connected resources.

    • Free Certificates: For domains managed through Route 53 (or domains that you can validate ownership of), ACM provides SSL certificates at no additional charge.

    • Automatic Renewals: Certificates provided by ACM are automatically renewed before they expire, eliminating the manual process of renewal and redeployment.

    • Private Certificates: With ACM Private CA, you can create and manage private certificates for your organization's internal use.

  2. Integration with AWS Services:

    • Many AWS services are integrated with ACM, allowing you to easily deploy SSL/TLS certificates. For example:

      • Elastic Load Balancing (ELB): You can assign ACM certificates to your load balancers to handle SSL termination.

      • Amazon CloudFront: You can use ACM certificates with your CloudFront distributions for content delivery over HTTPS.

      • API Gateway: Secure your APIs by associating ACM certificates.

      • Elastic Beanstalk: Use ACM certificates for your application environments.

  3. Manual Certificate Management:

    • While ACM is convenient, you can also upload and use your own SSL/TLS certificates if you've obtained them from an external certificate authority (CA).

    • Such manual management requires you to handle certificate renewals, safely store private keys, and update the certificate in any AWS services you've attached it to when it's renewed.

  4. IAM (Identity and Access Management) Certificates:

    • Historically, before ACM became prevalent, SSL certificates could be uploaded to IAM and then used with services like CloudFront or ELB. However, this method is less common now due to the conveniences ACM offers. If you're using this older method, AWS recommends transitioning to ACM.

  5. Security:

    • ACM securely stores and manages the private keys used with certificates. AWS uses hardware security modules (HSMs) to protect the confidentiality and integrity of those private keys.

  6. AWS Key Management Service (KMS):

    • While not directly about SSL certificate management, KMS is often used in tandem with encryption solutions on AWS to manage the cryptographic keys used for encrypting data. It's worth noting this service when discussing encryption in the AWS context.

  7. Certificate Transparency:

    • AWS Certificate Manager logs all public SSL/TLS certificates it issues in certificate transparency logs, helping maintain a transparent system where domain owners can detect misissuance of certificates for their domains.

When managing SSL/TLS certificates on AWS, it's essential to ensure that they are applied correctly across services, renewed on time (if not using ACM's auto-renewal), and that security best practices (like using strong ciphers and protocols) are followed in the associated AWS services.
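The "manual certificate management" path above (a certificate from an external CA, imported into ACM or uploaded to IAM) puts renewals and key handling on you, and the listener section below adds a key-type restriction (no ED25519). The script that follows is an added example, not code from the article or from AWS: it runs the pre-flight checks a practitioner does on a certificate/key pair before importing it, and it generates a throwaway self-signed pair so it can be exercised offline. It assumes the `openssl` command-line tool is available; all file paths and hostnames are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. Pre-flight checks for a
# certificate/key pair obtained from an external CA, before importing it into
# ACM (or uploading it to IAM) and attaching it to an ALB HTTPS listener.
# Assumes the `openssl` CLI is installed. The demo pair below is a constructed
# self-signed certificate so the checks run offline.
set -eu

# 0 if the private key belongs to the certificate: compare SHA-256 digests of
# the DER-encoded public keys (works for RSA and EC alike).
key_matches_cert() {
  cert_digest=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_digest=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ "$cert_digest" = "$key_digest" ]
}

# Print the certificate's public key algorithm as OpenSSL names it
# (rsaEncryption, id-ecPublicKey, ED25519, ...).
cert_key_algorithm() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Public Key Algorithm: //p' | head -n 1
}

# 0 if the key type is one an ALB listener accepts: the AWS docs quoted in this
# article state that ALBs do not support ED25519 keys; RSA and EC are fine.
alb_supports_key() {
  case "$(cert_key_algorithm "$1")" in
    rsaEncryption|id-ecPublicKey) return 0 ;;
    *) return 1 ;;
  esac
}

# 0 if the certificate stays valid for at least $2 more days. Uses openssl's
# own -checkend, so no date parsing is needed. ACM-issued certificates renew
# automatically; imported ones do not, so this is the check to schedule.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# 0 if hostname $2 appears as a DNS SAN in the certificate. Exact match only;
# wildcard entries are deliberately not expanded here.
cert_covers_host() {
  openssl x509 -in "$1" -noout -text | tr ',' '\n' | grep -q "DNS:$2\$"
}

# Run every check, print one verdict line each, return 1 if any failed.
# Arguments: cert key hostname min_days
preflight() {
  rc=0
  if key_matches_cert "$1" "$2"; then echo "ok   private key matches certificate"
  else echo "FAIL private key does not match certificate"; rc=1; fi
  if alb_supports_key "$1"; then echo "ok   key algorithm $(cert_key_algorithm "$1") is supported by ALB"
  else echo "FAIL key algorithm $(cert_key_algorithm "$1") is not supported by ALB"; rc=1; fi
  if valid_for_days "$1" "$4"; then echo "ok   valid for at least $4 more days"
  else echo "FAIL expires within $4 days; renew before deploying"; rc=1; fi
  if cert_covers_host "$1" "$3"; then echo "ok   certificate covers $3"
  else echo "FAIL certificate does not list $3 as a SAN"; rc=1; fi
  return $rc
}

# Constructed demo input: a throwaway self-signed RSA pair for app.example.test
# plus an unrelated key, so both the passing and the failing paths can be shown.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
DEMO_CERT="$DEMO_DIR/cert.pem"
DEMO_KEY="$DEMO_DIR/key.pem"
DEMO_OTHER_KEY="$DEMO_DIR/other.pem"
openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=app.example.test" \
  -addext "subjectAltName=DNS:app.example.test,DNS:www.example.test" \
  -keyout "$DEMO_KEY" -out "$DEMO_CERT" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$DEMO_OTHER_KEY" 2>/dev/null

preflight "$DEMO_CERT" "$DEMO_KEY" app.example.test 30
```

For a real import, point `preflight` at the CA-issued certificate and its key and pick a `min_days` that matches how far ahead your renewal process runs; a key/cert mismatch or an unsupported key type is rejected by ACM only at import time, and an expiry that is too close is not rejected at all, so catching both here is cheaper than discovering them on the listener.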

Create an HTTPS listener for your Application Load Balancer

A listener checks for connection requests. You define a listener when you create your load balancer, and you can add listeners to your load balancer at any time.

To create an HTTPS listener, you must deploy at least one SSL server certificate on your load balancer. The load balancer uses a server certificate to terminate the front-end connection and then decrypt requests from clients before sending them to the targets. You must also specify a security policy, which is used to negotiate secure connections between clients and the load balancer.

If you need to pass encrypted traffic to targets without the load balancer decrypting it, you can create a Network Load Balancer or Classic Load Balancer with a TCP listener on port 443. With a TCP listener, the load balancer passes encrypted traffic through to the targets without decrypting it.

Application Load Balancers do not support mutual TLS authentication (mTLS). For mTLS support, create a TCP listener using a Network Load Balancer or a Classic Load Balancer and implement mTLS on the target.

Application Load Balancers do not support ED25519 keys.

To add an HTTPS listener using the console

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. On the navigation pane, choose Load Balancers.

  3. Select the load balancer.

  4. On the Listeners tab, choose Add listener.

  5. For Protocol : Port, choose HTTPS and keep the default port or enter a different port.

  6. (Optional) To authenticate users, for Default actions, choose Add action, Authenticate and provide the requested information. For more information, see Authenticate users using an Application Load Balancer.

  7. For Default actions, do one of the following:

    • Choose Forward and choose a target group.

    • Choose Redirect and provide the URL and status code. For more information, see Redirect actions.

    • Choose Return fixed response and provide a response code, optional identity provider, and optional response body. For more information, see Fixed-response actions.

  8. For Security policy, we recommend that you keep the console recommended security policy.

  9. For Default SSL/TLS certificate, do one of the following:

    • If you created or imported a certificate using AWS Certificate Manager, choose From ACM and choose the certificate.

    • If you uploaded a certificate using IAM, choose From IAM and choose the certificate.

  10. Choose Add.

  11. (Optional) To define additional listener rules that forward requests based on a path pattern or a hostname, see Add a rule.

  12. (Optional) To add a certificate list for use with the SNI protocol, see Add certificates to the certificate list.
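The same listener, built with the AWS CLI instead of the console, as an added example that is not part of the AWS documentation quoted above. Each function maps to one of the console steps (protocol and port, default action, security policy, default certificate, an optional host-based rule, and the SNI certificate list), and a final call reads the configuration back. It assumes the AWS CLI v2 is installed and credentialed; every ARN is a placeholder, the policy name is one current TLS 1.3 ALB policy (the console's recommended policy may differ), and nothing is sent to AWS unless `APPLY=1` is set.

```shell
#!/usr/bin/env bash
# Added example, not from the AWS documentation quoted above: the console
# procedure expressed as AWS CLI (elbv2) calls, plus a read-back check.
# Assumes the AWS CLI v2 is installed and credentialed. All ARNs are
# placeholders; nothing is sent to AWS unless APPLY=1.
set -eu

LB_ARN="${LB_ARN:-arn:aws:elasticloadbalancing:REGION:ACCOUNT_ID:loadbalancer/app/my-alb/PLACEHOLDER}"
TG_ARN="${TG_ARN:-arn:aws:elasticloadbalancing:REGION:ACCOUNT_ID:targetgroup/my-targets/PLACEHOLDER}"
CERT_ARN="${CERT_ARN:-arn:aws:acm:REGION:ACCOUNT_ID:certificate/PLACEHOLDER}"
SNI_CERT_ARN="${SNI_CERT_ARN:-arn:aws:acm:REGION:ACCOUNT_ID:certificate/PLACEHOLDER-2}"
# A current TLS 1.3-capable ALB policy; the console's recommended policy may differ.
SSL_POLICY="${SSL_POLICY:-ELBSecurityPolicy-TLS13-1-2-2021-06}"
PORT="${PORT:-443}"

# Steps 5, 7 (Forward), 8 and 9 as the create-listener request body. Emitting
# the JSON from a function keeps the request reviewable before anything is sent.
listener_request_json() {
  cat <<EOF
{
  "LoadBalancerArn": "$LB_ARN",
  "Protocol": "HTTPS",
  "Port": $PORT,
  "SslPolicy": "$SSL_POLICY",
  "Certificates": [ { "CertificateArn": "$CERT_ARN" } ],
  "DefaultActions": [ { "Type": "forward", "TargetGroupArn": "$TG_ARN" } ]
}
EOF
}

# Step 10: create the HTTPS listener and print its ARN.
create_https_listener() {
  aws elbv2 create-listener --cli-input-json "$(listener_request_json)" \
    --query 'Listeners[0].ListenerArn' --output text
}

# Step 7 (Redirect variant): a companion HTTP listener whose only job is to
# send clients to HTTPS, so nothing is served in the clear.
create_http_redirect_listener() {
  aws elbv2 create-listener --load-balancer-arn "$LB_ARN" --protocol HTTP --port 80 \
    --default-actions 'Type=redirect,RedirectConfig={Protocol=HTTPS,Port=443,StatusCode=HTTP_301}' \
    --query 'Listeners[0].ListenerArn' --output text
}

# Step 11: a host-header rule forwarding one hostname to a target group.
# Arguments: listener_arn priority hostname target_group_arn
add_host_rule() {
  aws elbv2 create-rule --listener-arn "$1" --priority "$2" \
    --conditions "Field=host-header,Values=$3" \
    --actions "Type=forward,TargetGroupArn=$4"
}

# Step 12: add a second certificate to the listener's certificate list (SNI).
add_sni_certificate() {
  aws elbv2 add-listener-certificates --listener-arn "$1" \
    --certificates "CertificateArn=$2"
}

# Read back what was configured: protocol, port, policy, default certificate.
describe_listener_tls() {
  aws elbv2 describe-listeners --listener-arns "$1" \
    --query 'Listeners[0].[Protocol,Port,SslPolicy,Certificates[0].CertificateArn]' --output text
}

if [ "${APPLY:-0}" = "1" ]; then
  listener_arn=$(create_https_listener)
  create_http_redirect_listener
  add_host_rule "$listener_arn" 10 "api.example.test" "$TG_ARN"
  add_sni_certificate "$listener_arn" "$SNI_CERT_ARN"
  describe_listener_tls "$listener_arn"
else
  echo "Dry run (set APPLY=1 to send). Request body that would be sent:"
  listener_request_json
fi
```

The read-back at the end is the part worth keeping in any change pipeline: comparing the returned `SslPolicy` and `CertificateArn` against what you intended catches the two drifts that matter most on a listener, a weaker policy left in place and a default certificate that was renewed or replaced elsewhere.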

References:

  1. Create an HTTPS listener for your Application Load Balancer

  2. Basics of SSL/TLS secure connection